Citrix: NetScaler applet hangs at 99% “Logging in”

When a Citrix NetScaler is configured using a graphical interface a browser is used to connect to the Citrix NetScaler. Starting NetScaler release 10 a part of the configuration is migrated from Java Applets to HTML5, but most configuration are still depending on Java Applets.

When you open a more advanced configuration the Java Applet is loaded automatically., If it hangs at 1% “Downloading Applet…” you might want to read this article.If it hangs at 99% “Logging in” continue reading.

Logging in

After loading the Java Applet and trying to log in the following error is raised.

Login Failed - No Response from System. Please check your connection. (Connection timed out: connect)

Diagram

In my case the Citrix NetScaler was placed in a different VLAN than my client was, the VLANs where separated by a firewall.

What is good to know is that for the normal GUI  communication is done via TCP port 80 for non-secure (HTTP) or TCP port 443 for secure (HTTPS). The Java Applet communicates uses different ports: TCP port 3010 for secure or TCP port 3008 for non-secure .

 

Source: Communication ports used by Citrix Technologies [PDF]

Port Query

To determine if your client could reach the port you can use Port Query GUI (provided by Microsoft – link). This standalone utility can verify if ports can be reached and tells you within seconds if this is the problem.

  • Specify the destination IP or FQDN of the NetScaler IP (NSIP)
  • Select query type Manually input query ports
    • Ports to query: 80,443,3008,3010
    • Protocol: TCP
  • Click on Query

 

The query should return LISTENING for port 80+3010 for non-secure communication or 443+3008 for secure communication.

Port Query

This example clearly shows that TCP port 3008 and 3010 are filtered by a firewall.

 

 

.

Was once an enthusiastic PepperByte employee but is now working at Citrix. His blogs are still valuable to us and we hope to you too.